Students gleefully teach admins that mobile device management is hard

Unsurprisingly, high school students given iPads quickly “hack” them.

Put an iPad in a teenager's hands and the adolescent will quickly try to figure out the limits of what can and can't be done with it; send a school-provided iPad home from school with that teenager and there's a good chance it will come back with its security restrictions blown wide open. This is what has happened with students at Theodore Roosevelt High School in Los Angeles, which, according to the LA Times, has suspended its school-wide rollout of iPads after nearly 300 students "hacked" their school-provided devices to remove app and browser limitations.

Based on the information provided in the LA Times article, it appears that the Los Angeles Unified School District relied on simple ActiveSync profile restrictions in order to apply security policies to the students' iPads:

Roosevelt students matter-of-factly explained their technique Tuesday outside school. The trick, they said, was to delete their personal profile information. With the profile deleted, a student was free to surf.

ActiveSync profiles are one of several ways to manage security policies on iOS devices—with them, system administrators can provide not just a connection to an organization's Microsoft Exchange infrastructure, but also enforce passcode and remote wipe standards, limit Web browsing, and enforce remote installation of apps, as well as many other parameters. An ActiveSync profile is easily installed—and it's also easily removed.

One student interviewed by the Times gave a succinct answer when asked why the "hacking" was happening: "[T]hey took them home and they can't do anything with them," said Alfredo Garcia, a senior.

An employee who tampers with or removes a business-mandated ActiveSync profile from their iDevice at the very least limits his access to e-mail and calendering, and at worst faces disciplinary action. Students gifted with locked-down iPads, on the other hand, almost certainly don't care about their school e-mail accounts and they don't have to worry about being fired.

Actually employee-proofing (or student-proofing) a tablet requires a lot more than a simple profile—this is a case where a dedicated mobile device management solution is required. Full MDM solutions typically provide a lot more manageability and security options than are available with ActiveSync profiles, and they are also by design a great deal more difficult to remove or work around. The LA Unified School District's plan was to roll out iPads to every one of the 640,000 students in the district, which is the nation's second-largest; an MDM solution at that scale could cost many millions of additional (unbudgeted) capital and operational dollars.

That level of associated expense, along with either ignorance or crazy optimism about ActiveSync profile capabilities, are almost certainly the reason why mobile device management wasn't included with the iPad program. The district's rollout is currently on hold in the wake of the "hack" as officials evaluate what to do next.

Lee Hutchinson
Lee is the Senior Technology Editor at Ars and oversees gadget, automotive, IT, and culture content. He also knows stuff about enterprise storage, security, and manned space flight. Lee is based in Houston, TX. Emaillee.hutchinson@arstechnica.com//Twitter@Lee_Ars

Even when you do real security, students will almost always find a way. They may boot linux on a school-provided laptop, they may try and delete the data, etc...

In some respects, I think we should generally encourage students to tinker in such ways, but without compromising the security of all these devices. If only some of these students were so motivated to get things other than browsing the web on their iPad.

Also, I really don't think iPads are honestly the best option for students at this point. Maybe someday when all their textbooks will be on it, sure, but until then, a laptop on which students can actually learn things about computers, type up reports, and heck, maybe even learn to program would probably be better suited, and honestly probably cheaper too. I'm worried that a lot of schools get this "iPads are good" idea, and don't really think about why they are or how to best use them, and end up wasting tens of thousands of dollars that they could have spent on more useful things.

Textbooks and pencils work just as fine now as they did 30 years ago for me.

Actually iPads could end up saving money to a school district. Text books can be gotten on iPads and if you just give the inc freshmen iPads from the outgoing seniors (+ a few new ones) you can easily save money from having to buy all those dead tree text books.

Likewise I'm not sure the last time you were in school but when I was in HS (~10yrs now) if I had all of my text books in my bag it weighed half my weight and I'm not a small person.

Not to mention forgetting a text book in a locker/home when you need it. An iPad can solve all of those problems.

Textbooks and pencils work just as fine now as they did 30 years ago for me.

Don't know why they could not have just done what my school did and buy a whole bunch of iPads, but not one for every student. Throw them in carts, and then if the teacher feels like a certain lesson could be aided by the iPads, the teacher just reserved the iPads for that one or two class period(s). Far more cost-effective, and less worrying about eliminating security profiles, assuming the teachers are being even the least bit observant.

Textbooks and pencils work just as fine now as they did 30 years ago for me.

Sure. But iPads give students (and faculty) much needed technology familiarity. And have you seen the price of textbooks? I'd bet iPads are cheaper in the long run.

The money would be better spent on real tech teachers with a lab full of devices. Getting and using an ipad in no way results in increased tech familiarity. All you learn is the UI fad de jour, which you probably already learned on your own personal device. You learn nothing about fundamentals.

I used to work for a school district as a system admin and when they wanted to bring in iPads, I researched the issue and pointed out that we would need a new firewall that was compatible with the devices for content filtering, massive changes to our network, and changes to our file and print infrastructure and that it would not be cheap or easy. I was told by our administration that I was "not being a team player" and that "of course it wouldnt be successful with such a negative attitude." They ordered and distributed them anyways without going through IT for testing or inventory and werent planning on even investigating MDM solutions for another 6 months. That is a big reason why I no longer work there.

Sure. But iPads give students (and faculty) much needed technology familiarity. And have you seen the price of textbooks? I'd bet iPads are cheaper in the long run.

Textbooks are a racket, although for most everything in primary education, a state-backed FOSS model of textbook publishing is probably going to be the cheapest route, and yield the best results. As for 'technology familiarity', I'm not sure if the iPad is really conducive to productivity or understanding of technology.

Result: kids have their functional tools, school is covered from liability.

They are a piece of school property that are meant to be used for learning. I see no issue with limiting what these devices can do. They aren't toys.

And they'll learn more with an unrestricted device. I don't have the link, but it reminds of me of a post arguing how students playing games on their TI-8x calculators was actually great for education because the process of installing (and subsequently hacking) the game code on each of their calculators taught students a good deal about programming.

Textbooks and pencils work just as fine now as they did 30 years ago for me.

I agree that we should stop placing $500 tablets in the hands of students, but for different reasons.

An iPad given to a student seems to me like a very new and hip way to improve the educational experience, but I kind of feel like placing better emphasis on the student-teacher interaction, teacher quality, teaching standards and the actual learning process may have a better outcome then rampant consumer technology rollouts.

Don't get me wrong, I fully believe in the power of technology to educate, but this seems like a Band-Aid solution to me. Sticking an iPad in the hands of students won't solve the many problems that this nation's public education system is facing.

Result: kids have their functional tools, school is covered from liability.

They are a piece of school property that are meant to be used for learning. I see no issue with limiting what these devices can do. They aren't toys.

And they'll learn more with an unrestricted advice. I don't have the link, but it reminds of me of a post arguing how students playing games on their TI-8x calculators was actually great for education because the process of installing (and subsequently hacking) the game code on each of their calculators taught students a good deal about programming.

I used to play games on my TI-83. I didn't learn squat from it, except how to avoid doing schoolwork.

They are assigning these students tools to enhance their learning, it makes a lot of sense to make sure they aren't using them for other purposes.

Textbooks and pencils work just as fine now as they did 30 years ago for me.

Probably trolling, but I'll answer anyway as I work in education and see this attitude quite often.

Why do we need fancy technology like textbooks and pencils? Chalk and slate worked just fine. So did hand-copied scrolls on parchment. Calculators? forget it. Abacus works just as well...I could go on...

It's not that they NEED the ipad to learn, but they need to learn on the medium of the day. The medium of today is digital, and that's how we should teach if we want our students to actually engage with the material.

ActiveSync profile = the e-mail account for the exchange server. Exchange admins and their management want some level of control before they allow the device to connect to their server. Such as requiring a pin to unlock the device, or not allowing certain apps installed on the device. When user removes their exchange account from the device they are no longer bound by those restrictions. Device stops connecting to the server and those who run the server no longer care what's going on with the device.This isn't hacking! That's by design.

If somebody at Microsoft isn't pulling aside a couple crates of Surface Pros to send to Los Angeles, their PR guys need to be fired. The level of control they can exert on a full domain device would be higher, no?

Send them a bunch of keyboards in the school colors of each school district and you have a PR coup.

Result: kids have their functional tools, school is covered from liability.

unfortunately that is not an option due to something called the Children's Internet Protection Act which requires internet devices to be managed and locked down for content filtering. Handing an unlocked technology device to children is a horrible idea for more reasons than the legal however.

Also, people talking about the cost of the iPad compared to textbooks are forgetting the support cost and the additional cost of systems such as wireless networks, firewalls, MDM software, etc. that are required to implement such things properly that simply do not exist with a standard textbook.

Reminds me of the earlier non-commercial, non-personal use of the Internet... just a stupid policy to have in the first place when you know people are always going to find some way to waste resources. It's called being human.

Textbooks and pencils work just as fine now as they did 30 years ago for me.

Actually iPads could end up saving money to a school district. Text books can be gotten on iPads and if you just give the inc freshmen iPads from the outgoing seniors (+ a few new ones) you can easily save money from having to buy all those dead tree text books.

Likewise I'm not sure the last time you were in school but when I was in HS (~10yrs now) if I had all of my text books in my bag it weighed half my weight and I'm not a small person.

Not to mention forgetting a text book in a locker/home when you need it. An iPad can solve all of those problems.

Your assumption is based on the myth that the iPad will last as long as a textbook...

If somebody at Microsoft isn't pulling aside a couple crates of Surface Pros to send to Los Angeles, their PR guys need to be fired. The level of control they can exert on a full domain device would be higher, no?

Send them a bunch of keyboards in the school colors of each school district and you have a PR coup.

Absolutely. Group policies. They can be bypassed if the local user is an administrator though. They'd need to give limited user rights to the students, and then to do any sort of hacking the kids would need to resort to real stuff such as privilege escalation vulnerabilities. If someone is willing to go that far then I'm not sure that any technology based solution would stop them. A nun with a steel ruler would.

Textbooks and pencils work just as fine now as they did 30 years ago for me.

Sure. But iPads give students (and faculty) much needed technology familiarity. And have you seen the price of textbooks? I'd bet iPads are cheaper in the long run.

iPads don't magically come with textbook files loaded on them. You have to pay the book publishers for those. I can't say for sure, but I'd guess that those are at best marginally cheaper than paper books - not enough to offset the $500 you're sinking into the iPad.

As for technology familiarity - maybe, but why get a very expensive, relatively powerful tablet? An e-reader or sub-$300 Android tablet would accomplish the same ends at a lower cost.

If the ipad is needed for some aspect of school work, just make sure it doesn't work anymore (for that aspect of school work) once the ipad is "hacked." If the student can't use it for the required purpose, he will be quickly found out and forced to restore unhacked operation or face incomplete classwork.

If the ipad is not needed for some aspect of school work, don't buy it.

So what about long term costs? Many schools get these as a grant, so they give them out. It's a work computer, not my own, so many people (especially students) aren't as nice to them. put it in the backpack and the backpack gets thrown to the ground now and then.

Ipads break, now where is the maintenance/replacement money coming from? another grant or taking money from other things?

tablets have their place in school, but it is not the teacher, just like teachers couldn't rely on just VHS or DVD when they came out. they can enhance, but they cannot replace.